Change getResource() to be a taint step

luchua-bc · luchua-bc · commit f0c4b1955b1f · 2022-04-19T15:55:09.000Z
diff --git a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -385,10 +385,18 @@ library class ServletContext extends RefType {
   ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
 }
 
-/** The `getResource` and `getResourceAsStream` methods of `ServletContext`. */
+/** The `getResource` method of `ServletContext`. */
 class GetServletResourceMethod extends Method {
   GetServletResourceMethod() {
     this.getDeclaringType() instanceof ServletContext and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/** The `getResourceAsStream` method of `ServletContext`. */
+class GetServletResourceAsStreamMethod extends Method {
+  GetServletResourceAsStreamMethod() {
+    this.getDeclaringType() instanceof ServletContext and
+    this.hasName("getResourceAsStream")
   }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -41,6 +41,20 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prev, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod() instanceof GetServletResourceMethod or
+        ma.getMethod() instanceof GetFacesResourceMethod or
+        ma.getMethod() instanceof GetClassResourceMethod or
+        ma.getMethod() instanceof GetClassLoaderResourceMethod or
+        ma.getMethod() instanceof GetWildflyResourceMethod
+      ) and
+      ma.getArgument(0) = prev.asExpr() and
+      ma = succ.asExpr()
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeUrlForwardFlowConfig conf
diff --git a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -19,19 +19,35 @@ private class RequestDispatcherSink extends UnsafeUrlForwardSink {
   }
 }
 
-/** The `getResource` and `getResourceAsStream` methods of `Class`. */
+/** The `getResource` method of `Class`. */
 class GetClassResourceMethod extends Method {
   GetClassResourceMethod() {
     this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/** The `getResourceAsStream` method of `Class`. */
+class GetClassResourceAsStreamMethod extends Method {
+  GetClassResourceAsStreamMethod() {
+    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.hasName("getResourceAsStream")
   }
 }
 
-/** The `getResource` and `getResourceAsStream` methods of `ClassLoader`. */
+/** The `getResource` method of `ClassLoader`. */
 class GetClassLoaderResourceMethod extends Method {
   GetClassLoaderResourceMethod() {
     this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/** The `getResourceAsStream` method of `ClassLoader`. */
+class GetClassLoaderResourceAsStreamMethod extends Method {
+  GetClassLoaderResourceAsStreamMethod() {
+    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.hasName("getResourceAsStream")
   }
 }
 
@@ -66,13 +82,14 @@ class GetVirtualFileMethod extends Method {
 /** An argument to `getResource()` or `getResourceAsStream()`. */
 private class GetResourceSink extends UnsafeUrlForwardSink {
   GetResourceSink() {
+    sinkNode(this, "open-url")
+    or
     exists(MethodAccess ma |
       (
-        ma.getMethod() instanceof GetServletResourceMethod or
-        ma.getMethod() instanceof GetFacesResourceMethod or
-        ma.getMethod() instanceof GetClassResourceMethod or
-        ma.getMethod() instanceof GetClassLoaderResourceMethod or
-        ma.getMethod() instanceof GetWildflyResourceMethod or
+        ma.getMethod() instanceof GetServletResourceAsStreamMethod or
+        ma.getMethod() instanceof GetFacesResourceAsStreamMethod or
+        ma.getMethod() instanceof GetClassResourceAsStreamMethod or
+        ma.getMethod() instanceof GetClassLoaderResourceAsStreamMethod or
         ma.getMethod() instanceof GetVirtualFileMethod
       ) and
       ma.getArgument(0) = this.asExpr()
diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -14,11 +14,21 @@ class ExternalContext extends RefType {
 }
 
 /**
- * The methods `getResource()` and `getResourceAsStream()` declared in JSF `ExternalContext`.
+ * The method `getResource()` declared in JSF `ExternalContext`.
  */
 class GetFacesResourceMethod extends Method {
   GetFacesResourceMethod() {
     this.getDeclaringType().getASupertype*() instanceof ExternalContext and
-    this.hasName(["getResource", "getResourceAsStream"])
+    this.hasName("getResource")
+  }
+}
+
+/**
+ * The method `getResourceAsStream()` declared in JSF `ExternalContext`.
+ */
+class GetFacesResourceAsStreamMethod extends Method {
+  GetFacesResourceAsStreamMethod() {
+    this.getDeclaringType().getASupertype*() instanceof ExternalContext and
+    this.hasName("getResourceAsStream")
   }
 }
